Blog Post

Microsoft Defender Vulnerability Management Blog

Guidance for CVE-2024-0012, CVE-2024-9474 affecting PAN-OS using Microsoft Security capabilities

BrjannBrekkan
Nov 26, 2024

Two new critical vulnerabilities affecting PAN-OS, CVE-2024-0012 and CVE-2024-9474, were identified and published last week, putting organizations that run Palo Alto Networks firewalls at risk. In this blog post we show how you can use Microsoft Security tools to discover assets in your organization that are vulnerable to these flaws, which an unauthenticated attacker who can reach the management web interface can chain into administrative access and remote code execution (RCE) on the firewall, and we provide guidance on remediation. We also show how to use attack path analysis together with the Microsoft Security tools to identify how attackers could gain access and reach critical assets in your organization.

 

Severity

CVSS v4.0 base score: 9.3 (CVSS v3.1: 9.8) for CVE-2024-0012

Description of vulnerability

An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to obtain administrator privileges, modify configurations, or exploit other vulnerabilities such as CVE-2024-9474 (the privilege escalation covered below).

 

Does it have an Exploit?

Yes. Palo Alto Networks is aware of an increasing number of attacks that exploit this vulnerability, so any management interface reachable from an untrusted network should be treated as actively targeted.

Affected Versions

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.  

Impact

These vulnerabilities pose significant risk to organizations using PAN-OS. The authentication bypass (CVE-2024-0012) allows unauthorized administrative access to the firewall's configuration and the systems behind it, while the privilege escalation (CVE-2024-9474) lets an attacker who already holds administrator access gain higher-level permissions, potentially leading to full system compromise. Combined they are particularly dangerous: an attacker first gains access through the authentication bypass and then escalates privileges, maximizing the damage. Organizations should promptly assess and mitigate both vulnerabilities to protect their network infrastructure.

Recommendations for Mitigation and Best Practices   

  • Upgrade to the latest version of PAN-OS: install the fixed release for the PAN-OS train you run (10.2, 11.0, 11.1 or 11.2).
  • Secure management interface access: restrict access to the management interface to trusted internal IP addresses only. Both CVEs require reaching the management web interface, so limiting who can reach it directly shrinks the attack surface.
  • Minimize exposure: use just-in-time (JIT) access so the management interface is not continuously exposed, reducing the window in which an attacker can exploit it.

Mapping CVE-2024-0012 and CVE-2024-9474 vulnerabilities in your organization      

The first step in managing an incident is to identify and map affected software within your organization’s assets.

Using Microsoft Defender Vulnerability Management

Defender Vulnerability Management provides a vulnerability assessment across all your devices. On the Vulnerability Management weaknesses page, search either for the CVE ID or for "PAN-OS", then open the entry to view the detailed list of affected software and devices in your organization.
 

Find the vulnerabilities in weaknesses page

Using Advanced Hunting

To map the presence of CVE-2024-0012 or CVE-2024-9474 in your environment, run the following KQL query in Advanced Hunting. It selects the software-vulnerability records for the two CVEs and summarizes them by device name, device ID, OS and affected software version:

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2024-0012", "CVE-2024-9474")
| summarize by DeviceName, DeviceId, OS = strcat(OSPlatform, " ", OSVersion), SoftwareName, SoftwareVersion
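The query above tells you which devices carry the CVEs but not which ones to fix first. The following query is an added example, not part of the original post, that extends it with exploit status from the vulnerability knowledge base and internet exposure from device inventory so that exposed, actively exploited firewalls sort to the top. It assumes the standard Advanced Hunting schema (DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, DeviceInfo); for network devices assessed by authenticated scans, the DeviceInfo exposure fields may be empty, which the left-outer join tolerates and the "P3" bucket flags for manual review.

```kql
// Added example (not from the original post): prioritize PAN-OS devices that
// carry CVE-2024-0012 / CVE-2024-9474 by exploit status and internet exposure.
// Assumes the standard Advanced Hunting tables and columns named below.
let PanOsCves = dynamic(["CVE-2024-0012", "CVE-2024-9474"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (PanOsCves)
// Knowledge-base facts per CVE: CVSS score and whether an exploit is known.
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId in (PanOsCves)
    | project CveId, CvssScore, IsExploitAvailable
  ) on CveId
// Latest inventory record per device, for exposure information.
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(DeviceId)
    | summarize arg_max(Timestamp, IsInternetFacing, PublicIP) by DeviceId
  ) on DeviceId
| summarize Cves = make_set(CveId),
            MaxCvss = max(CvssScore),
            ExploitedRows = countif(IsExploitAvailable == true),
            FixId = take_any(RecommendedSecurityUpdateId)
    by DeviceName, DeviceId, OS = strcat(OSPlatform, " ", OSVersion),
       SoftwareName, SoftwareVersion, IsInternetFacing, PublicIP
| extend ExploitKnown = ExploitedRows > 0
// Triage buckets: exposed + exploited first; unknown exposure is reviewed by hand.
| extend Priority = case(
      IsInternetFacing == true and ExploitKnown, "P1 - internet-facing, exploited in the wild",
      ExploitKnown, "P2 - exploited in the wild, not internet-facing",
      "P3 - exposure unknown, review manually")
| project-away ExploitedRows
| sort by Priority asc, MaxCvss desc
```

A device that shows up as P1 should have its management interface cut off from the internet (firewall rule or JIT) before the upgrade window, since patching alone does not evict an attacker who already has administrator access.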

 

Using Defender for Cloud

Cloud Security Explorer  

You can use the Cloud Security Explorer feature within Defender for Cloud to perform queries related to your posture across Azure, AWS, GCP, and code repositories. This allows you to investigate the specific CVE, identify affected machines, and understand the associated risks.

We have created queries for these two CVEs that give you an initial assessment of the threat they pose to your organization; you can customize them to your environment:

Searching cloud security explorer for the two CVEs

Defender for Cloud attack paths

Using attack path analysis you can find machines that are both vulnerable and reachable by an attacker. Filter the attack path view by the following title to show only internet-exposed machines carrying these CVEs:

Internet exposed Azure VM with PAN-OS vulnerabilities (CVE-2024-0012, CVE-2024-9474)

Note: These attack path updates are rolling out and should be available for all customers within hours 

Recommendations for Mitigation and Best Practices

Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:

  • Apply patches and updates: regularly update all software to fix known vulnerabilities, and use Defender Vulnerability Management to monitor and enforce patch compliance.
  • Application blocking: use Defender Vulnerability Management to block vulnerable or malicious software once a CVE is assigned. This is available only in Defender Vulnerability Management premium plans.
  • Remediate vulnerabilities: follow Defender for Cloud's recommendations to fix affected VMs and containers across your multi-cloud environment.
  • The "Emerging threat" risk factor: use Defender for Cloud's risk factor to prioritize patching of vulnerable resources. This factor is updated regularly to stay relevant.
  • Exposure Management: adopt a proactive security mindset by learning how Exposure Management gives you cross-organizational visibility of your attack surface and of any attack paths that appear because of new threats or vulnerabilities.
    • Keep monitoring your environment with attack path analysis to block possible attack routes, using either the visualization under Exposure Management in the security.microsoft.com portal or the graph-match KQL operator in Advanced Hunting.
    • Proactively use the Vulnerability Assessment security initiative in Exposure Management to help prioritize critical assets.
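For the attack path check above, and as a worked example of the graph-match route mentioned in the Exposure Management bullet, the following query is an added example that is not part of the original post and not Microsoft's own query. It builds the exposure graph from the ExposureGraphNodes and ExposureGraphEdges tables and looks for paths of up to three hops that end at a device which Defender Vulnerability Management reports as carrying either CVE. The make-graph and graph-match syntax is standard KQL; the label strings marked ASSUMPTION (the entry node label "internet", the device node label "device", and NodeName matching DeviceName) are assumptions and must be confirmed against the values present in your tenant's graph tables before you rely on the result.

```kql
// Added example (not from the original post): walk the Exposure Management graph
// for attack paths that end at a PAN-OS device carrying CVE-2024-0012 / CVE-2024-9474.
let PanOsCves = dynamic(["CVE-2024-0012", "CVE-2024-9474"]);
// Device names that Defender Vulnerability Management reports with either CVE.
let VulnerableHosts = toscalar(
    DeviceTvmSoftwareVulnerabilities
    | where CveId in (PanOsCves)
    | summarize make_set(DeviceName));
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
| graph-match (Entry)-[Hop*1..3]->(Firewall)
    // ASSUMPTION: "internet" is the label of the node representing the public
    // internet in your graph; replace it with the label your tenant actually uses.
    where Entry.NodeLabel == "internet"
      // ASSUMPTION: DVM-managed devices appear with the "device" label and a
      // NodeName equal to the DeviceName used in DeviceTvmSoftwareVulnerabilities.
      and Firewall.NodeLabel == "device"
      and Firewall.NodeName in (VulnerableHosts)
    project Entry = Entry.NodeName,
            Target = Firewall.NodeName,
            Steps = Hop.EdgeLabel,                 // edge labels along the path, in order
            Hops = array_length(Hop.EdgeLabel)
| sort by Hops asc
```

Short paths (one hop) are the management interfaces that are directly reachable; longer ones show what an attacker could pivot to after exploiting the firewall, which is the list to use when deciding which assets to isolate or monitor first.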

Conclusion

By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment.  While the preceding process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.

Updated Nov 26, 2024
Version 1.0